Brazilian police have opened an investigation into a shocking cyber-heist that saw at least 540 million reais ($100 million) stolen from financial institutions in a single night. Here is a case study of how an insider's treachery circumvented the PIX payment system, and what investigators are doing to rectify it.
What Happened?
Right after midnight on June 30, 2025, C&M Software was victimized by hackers. C&M is a critical service that provides connectivity between Banco do Brasil and Brazil's instant payment service, called PIX. The hackers used credentials purchased from a compromised insider. Shortly after the compromise, the so-called "hackers" began executing fake PIX transfers against the reserve accounts of six financial institutions at the same time. Estimates show losses ranging from 540 million reais ($100 million) to an upper estimate of 800 million reais ($140 million).
The Insider: João Roque’s Role
Police in São Paulo have apprehended João Nazareno Roque, a 48-year-old IT employee at C&M. Roque is accused of selling his system access, including login credentials, for around R$15,000 (≈ $2,700). Reports suggest he facilitated remote access and even helped set up the fraudulent transfer framework. He allegedly claimed the recruitment started earlier this year, initiated through casual contact at a bar and later coordinated via phone and WhatsApp.
Mechanism of the Heist
Once armed with Roque's credentials, the attackers accessed C&M's back-end systems, the "bridge" to the PIX infrastructure, and launched coordinated fake transfers lasting around 2.5 hours. These operations specifically hit the reserve accounts used between institutions, so consumer accounts were shielded and public panic was prevented.
Follow-the-Money: Crypto Laundering
Investigators and blockchain analysts, including ZachXBT, tracked about $30 to $40 million of the stolen funds funnelled into Bitcoin, Ethereum, and USDT via Latin American OTC exchanges. Authorities have successfully frozen approximately 270 million reais (~$50 million) of illicit assets so far.
Institutional Responses
- The Central Bank of Brazil immediately suspended parts of C&M's access to the PIX network and ordered stricter security oversight following the breach.
- C&M Software maintains the incident resulted from social engineering, not flaws in its controls, and offered full assistance to investigators.
Wider Implications & Takeaways
- Insider Threats Matter Once Again: This incident is a reminder that strong controls may mean little against a credible insider, and that people, who are often the last line of defense, can fail.
- PIX System Under Pressure: PIX has been used by over 76% of the Brazilian population since November 2020, and is under pressure yet again to strengthen authentication and transaction monitoring controls.
- Crypto as a Path for Laundering: The stolen funds’ movement into cryptocurrencies is a familiar story, and is a reminder that blockchain monitoring is an essential asset for investigating cyber attacks when stolen funds are involved.
- Promoting Supply-Chain Security: The hack is a good reminder for financial services players that they must secure their own environments and will also be required to closely monitor their vendors and third-party partner providers.
What’s Next
Investigators are expanding their probe beyond Roque—police say at least four accomplices have been identified. While a significant portion of the stolen money has been recovered, tracking the remaining sum—much of which may have been converted into crypto—is underway. The Central Bank has reinforced security controls, and PIX access via third parties like C&M remains under close scrutiny.
Conclusion
This daring digital heist serves as a warning in the realm of digital currency: a breakdown anywhere in a system, even one as structural as Brazil's PIX system, can lead to failure because of misplaced assumptions about human trust. As Brazil looks at what it can do to recover funds and improve security, incidents like this show that defense against cyber crime depends on every party along the chain defending together.




